{
  "threat_severity" : "Moderate",
  "public_date" : "2025-11-28T15:52:56Z",
  "bugzilla" : {
    "description" : "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure",
    "id" : "2417718",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.", "A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the \"fast\" decompressor." ],
  "statement" : "This vulnerability affects the \"fast\" decompressor because that implementation relies on the LZ4_decompress_fast API of the lz4 C library. This function was deprecated in the lz4 library because it lacks boundary checks and is considered insecure when processing untrusted inputs.\nRed Hat has rated this vulnerability as having a security impact of Moderate because the attack may be considered of high complexity; additionally, when it is exploited, the attacker does not have full control over the memory that is read or its content.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Quarkus 3.20.4.SP1",
    "release_date" : "2026-01-06T00:00:00Z",
    "advisory" : "RHSA-2026:0131",
    "cpe" : "cpe:/a:redhat:quarkus:3.20::el8",
    "package" : "lz4-java"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.27.1.SP1",
    "release_date" : "2026-01-06T00:00:00Z",
    "advisory" : "RHSA-2026:0134",
    "cpe" : "cpe:/a:redhat:quarkus:3.27::el8",
    "package" : "lz4-java"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1872",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1870",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8",
    "package" : "eap8-wildfly-0:8.1.4-2.GA_redhat_00005.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1871",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9",
    "package" : "eap8-wildfly-0:8.1.4-2.GA_redhat_00005.1.el9eap"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "jmc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Fix deferred",
    "package_name" : "lz4-java",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-12183\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-12183\nhttps://github.com/yawkat/lz4-java/releases/tag/v1.8.1\nhttps://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183" ],
  "name" : "CVE-2025-12183",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}